CISMP-V9 Practice Exam Questions and Answers

James is working with a software programme that completely obfuscates the entire source code, often in the form of a binary executable making it difficult to inspect, manipulate or reverse engineer the original source code.

What type of software programme is this?

What form of risk assessment is MOST LIKELY to provide objective support for a security Return on Investment case?

Which term describes a vulnerability that is unknown and therefore has no mitigating control which is immediately and generally available?

What Is the PRIMARY security concern associated with the practice known as Bring Your Own Device (BYOD) that might affect a large organisation?

In order to maintain the currency of risk countermeasures, how often SHOULD an organisation review these risks?

By what means SHOULD a cloud service provider prevent one client accessing data belonging to another in a shared server environment?

Which of the following is NOT an accepted classification of security controls?

Geoff wants to ensure the application of consistent security settings to devices used throughout his organisation whether as part of a mobile computing or a BYOD approach.

What technology would be MOST beneficial to his organisation?

When handling and investigating digital evidence to be used in a criminal cybercrime investigation, which of the following principles is considered BEST practice?

Why have MOST European countries developed specific legislation that permits police and security services to monitor communications traffic for specific purposes, such as the detection of crime?

When calculating the risk associated with a vulnerability being exploited, how is this risk calculated?

For which security-related reason SHOULD staff monitoring critical CCTV systems be rotated regularly during each work session?

How does the use of a "single sign-on" access control policy improve the security for an organisation implementing the policy?

What form of training SHOULD developers be undertaking to understand the security of the code they have written and how it can improve security defence whilst being attacked?

One traditional use of a SIEM appliance is to monitor for exceptions received via syslog.

What system from the following does NOT natively support syslog events?

Which type of facility is enabled by a contract with an alternative data processing facility which will provide HVAC, power and communications infrastructure as well computing hardware and a duplication of organisations existing "live" data?

Which algorithm is a current specification for the encryption of electronic data established by NIST?

What term is used to describe the act of checking out a privileged account password in a manner that bypasses normal access controls procedures during a critical emergency situation?

How might the effectiveness of a security awareness program be effectively measured?

1) Employees are required to take an online multiple choice exam on security principles.

2) Employees are tested with social engineering techniques by an approved penetration tester.

3) Employees practice ethical hacking techniques on organisation systems.

4) No security vulnerabilities are reported during an audit.

5) Open source intelligence gathering is undertaken on staff social media profiles.

What term refers to the shared set of values within an organisation that determine how people are expected to behave in regard to information security?

Which three of the following characteristics form the AAA Triad in Information Security?

1. Authentication

2. Availability

3. Accounting

4. Asymmetry

5. Authorisation

In a virtualised cloud environment, what component is responsible for the secure separation between guest machines?

A security analyst has been asked to provide a triple A service (AAA) for both wireless and remote access network services in an organization and must avoid using proprietary solutions.

What technology SHOULD they adapt?

Which of the following uses are NOT usual ways that attackers have of leveraging botnets?

In business continuity (BC) terms, what is the name of the individual responsible for recording all pertinent information associated with a BC exercise or real plan invocation?

According to ISO/IEC 27000, which of the following is the definition of a vulnerability?

You are undertaking a qualitative risk assessment of a likely security threat to an information system.

What is the MAIN issue with this type of risk assessment?

A system administrator has created the following "array" as an access control for an organisation.

Developers: create files, update files.

Reviewers: upload files, update files.

Administrators: upload files, delete fifes, update files.

What type of access-control has just been created?

When considering outsourcing the processing of data, which two legal "duty of care" considerations SHOULD the original data owner make?

1 Third party is competent to process the data securely.

2. Observes the same high standards as data owner.

3. Processes the data wherever the data can be transferred.

4. Archive the data for long term third party's own usage.

Which standards framework offers a set of IT Service Management best practices to assist organisations in aligning IT service delivery with business goals - including security goals?